Software company’s unveiling of decryption key comes too late for many victims of devastating ransomware attack

Justice confirmed that the tool Kaseya has made widely available has worked for him. Kaseya spokesperson Dana Liedholm told CNN in a statement Friday that “fewer than 24 hours” elapsed between when it obtained the tool and when it announced its existence, and that it is providing the decryption key to the tech support firms that are its customers — which in turn will use the tool to unlock the computers of countless restaurants, accounting offices and dental practices affected by the hack.

In order to access the tool, Kaseya is requiring that businesses sign a non-disclosure agreement, according to several cybersecurity experts working with affected companies. While such agreements are not unusual in the industry, they could make it more difficult to understand what happened in the incident’s aftermath. Kaseya declined to comment on the non-disclosure agreements.

Frustration

Some businesses hit by REvil’s malware are frustrated with Kaseya’s rollout of the tool weeks after the initial attack, according to Andrew Kaiser, VP of sales for the cybersecurity firm Huntress Labs, which works with three tech support firms affected by the hack.

“I talked with a service provider yesterday,” Kaiser told CNN, “who said, ‘Hey listen, we’re a 10-to-20-person company. We’ve spent over 2,500 man-hours restoring from this across our business. If we had known there was the potential to get this decryptor a week or 10 days ago, we would have made very different decisions. Now, we’re down to only 10 or 20 systems that could benefit from this.”

Most firms in the same position have chosen to eat the costs of recovery rather than pass them along to customers, Kaiser said, meaning they may have wasted labor, time and money performing self-recovery in a crisis.

Even though some companies successfully recovered from the attack on their own, many others have struggled for weeks to no avail. The problem was compounded when REvil’s websites vanished, making it impossible to contact the group to make ransom payments or seek technical assistance. The group’s unexplained disappearance led to widespread speculation that the US or Russian government may have gotten involved, though neither country has claimed credit. US officials have declined to comment, and a spokesman for the Kremlin has denied any knowledge of the matter.

The cybersecurity firm GroupSense had been working with two organizations, a small-to-midsized private school and a law firm, which were left holding the bag when they could no longer communicate with REvil.

“We were in active negotiations with REvil when they went offline,” GroupSense’s director of intelligence, Bryce Webster-Jacobsen, told CNN earlier this week. “Immediately, what we got from the victims we were working with was, ‘Wait, hang on, what do you mean these guys are offline? What does that mean for us?'”

Other victims had already paid a ransom to REvil. One such organization had been struggling to operate the key it obtained from the group, said Critical Insight, a cybersecurity firm the victim hired to help. But with REvil’s sudden disappearance, the victim was stranded, according to Mike Hamilton, Critical Insights’s co-founder. The victim, which declined to be named and had no reliable backups, was dreading having to return to its customers asking for new copies of all the data it needed to complete its projects.

Kaseya’s announcement this week will likely mean the eventual restoration of these victims’ data. But that doesn’t change the resources they had to spend, and the gut-wrenching decisions they had to make, during the long stretch of time between when the attack occurred and when Kaseya announced a decryptor that the victims did not know was a possibility.

“An extra three, four, five days could be the difference between a business continuing to operate and them saying, ‘We can’t move forward,'” said Kaiser.

Conundrum for Biden administration

That kind of conundrum has factored into the Biden administration’s thinking as law enforcement and intelligence officials have explored taking ransomware groups offline, people familiar with the discussions said. The National Security Council in particular has been studying how to avoid indirectly hurting victims who may be unable to get their data back if the criminal groups are taken down or disappear.

The administration has increasingly moved to disrupt ransomware networks, track ransom payments and build an international coalition against cybercrime. But officials have steadfastly declined to say whether the US government played a role in REvil’s disappearance. The group, which is also accused of carrying out the recent ransomware attack on meat supplier JBS Foods, went offline soon after a senior administration official vowed that US authorities would take action against ransomware groups “in the days and weeks ahead.”

Basic cybersecurity hygiene is the best way for companies to inoculate themselves against ransomware, an NSC spokesperson told CNN. But for victims, the administration is considering how its developing ransomware strategy may affect them, the spokesperson said.

As more organizations take up Kaseya’s offer of a decryptor, it’s possible more will come to light about how the company came by the tool, Kaiser said.

Until then, cybersecurity experts have been left guessing as to what may have occurred. Multiple experts agreed that the theories largely fall into a few main buckets.

It is technically possible, but unlikely, that Kaseya or one of its partners managed to reverse-engineer the tool from the ransomware, said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security. Groups like REvil tend not to leave vulnerabilities in their code that can be exploited, he added.

A more plausible theory, he said, is that Kaseya received help from law enforcement officials. If REvil’s disappearance was in fact the result of a government-led operation, the authorities may have seized a decryptor they could use to help Kaseya, several cybersecurity experts said.

It is also possible that REvil itself could have handed over the decryptor, either voluntarily or under pressure from US or Russian authorities, said Kyle Hanslovan, CEO of Huntress Labs.

But the likeliest scenario is also the simplest one, Schmitt said: That Kaseya or someone acting on its behalf paid the ransom.

That raises further questions that Kaseya has not answered: Did the company pay a ransom? If so, when? If the company communicated with REvil after it disappeared, how did it communicate?

“There are a lot of scenarios that could’ve occurred, but we don’t have much information to say one way or another,” said Schmitt, who added that information about Kaseya’s response to the attack “could serve as a case study for future situations moving forward.”